Re: [Axis2] Generation of Keystores

[Ali Sadik Kumlali]

Hi Siamak,I highly recommend you to give Portecle (http://portecle.sourceforge.net/) a try. Thus, you will be able to manage keystores easily. It's superb and open-source. Please pass it English localeproperties before running:java -Duser.language=en -jar portecle.jarAlthough I don't know the theory behind it, followingsworked for me. You might also give a try to it:   axis2 security sample's sec.jks  ----------------------------------------------  - Examine sec.jks with Portecle and see signature algorithm of bob private key as "SHA1withRSA"  - Notice
 signatureKeyIdentifier found in InflowSecurity and OutflowSecurity is set as SKIKeyIdentifier:  <signatureKeyIdentifier>SKIKeyIdentifier</signatureKeyIdentifier>    keytool generated client.jks and server.jks  --------------------------------------------  - Examine client.jks with Portecle and see signature algorithm of client private key as "MD5withRSA"    - Replace SKIKeyIdentifier with DirectReference:  <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>    Hope this works.    Ali Sadik KumlaliSiamak Haschemi <[EMAIL PROTECTED]> wrote:  Hello Ruchith.Thank you very much for that fantastic support. It is not
 naturally that people are so patient :-)I will try to follow your hint, but I already did everything I could imagine.Thank you very much,Siamak HaschemiRuchith Fernando schrieb:> Hi Siamak,>> I will try to get you a step by step project over the week end :-)>> But please note that the exception that you mentioned:>> "WSHandler: Signature: error during message> procesingorg.apache.ws.security.WSSecurityException: General security> error (Unexpected number of X509Data: for Signature) ...">>   occurs when you have NOT specified the correct alias of the private> key in the keystore to use as the value of the  element in the> outflowConfiguration, also the callback handler class must supply the> correct password of the private key when asked for password of that> particular alias.>> Thanks,>
 Ruchith>> On 4/6/06, Siamak Haschemi  wrote:>   >> Hello Ruchith,>>>> I think that was a misunderstanding. I already made this changes.>> I think that the problem lies in de keystore. Did you look at the script?>> Is the generation of the Keystore correct?>> Or am I missing some extra paramaters?>>>> I would be very thankful If you could send me a litte projekt including>> the generation of self-signing Certificates.>>>>>> Thank you very much,>>>> Siamak Haschemi>>>>>> Ruchith Fernando schrieb:>>     >>> Hi,>>>>>> Please note that you will have to provide the configuration>>> information according to set the new keystores. Simply replacing the>>> keystores in the security sample will not
 help.>>>>>>   - You will have to set the  value in the outflowConfiguration>>> parameter to the alias of the private key in the appropriate keystore.>>>   - You will have to provide  a .properties file with the correct>>> keystore information>>>   - You will have to make sure the PasswordCallbackhandler class (impl>>> of java.auth.Callbackhandler) returns the proper passwords for the>>> required identifiers.>>>   - You will have to make sure you have all the above available in the>>> classpath of both service and client appropriately (The secUtil.jar in>>> the security sample packages all of these).>>>>>> HTH>>>>>> Thanks,>>> Ruchith>>>>>>>>> On 4/6/06, Siamak Haschemi 
 wrote:>>>>>>       >>>> Hello Ruchith.>>>>>>>> I follow you instructions. I create a script for generating the>>>> keystore. But now I got into trubble with a error:>>>>>>>> "WSHandler: Signature: error during message>>>> procesingorg.apache.ws.security.WSSecurityException: General security>>>> error (Unexpected number of X509Data: for Signature) ...">>>>>>>> If I use the original "sec.jks" from the security sample (and changing>>>> the axis2.xml user and encryptionUser param) it works. So I think>>>> there's still something wrong with my Keystore.>>>>>>>>>>>> Here is the script I use to generate the keystore.>>>> ----------------------------->>>>>>>> @echo
 off>>>> set CLIENT_KEYPASS=keyPassClient>>>> set CLIENT_STOREPASS=storePassClient>>>> set SERVER_KEYPASS=keyPassServer>>>> set SERVER_STOREPASS=storePassServer>>>>>>>> keytool -genkey -keyalg RSA -alias client -keystore client.jks -dname>>>> "cn=Client" -keypass %CLIENT_KEYPASS% -storepass %CLIENT_STOREPASS%>>>> keytool -genkey -keyalg RSA -alias server -keystore server.jks -dname>>>> "cn=Server" -keypass %SERVER_KEYPASS% -storepass %SERVER_STOREPASS%>>>>>>>> keytool -selfcert -alias client -keystore client.jks -keypass>>>> %CLIENT_KEYPASS% -storepass %CLIENT_STOREPASS%>>>> keytool -selfcert -alias server -keystore server.jks -keypass>>>> %SERVER_KEYPASS% -storepass %SERVER_STOREPASS%>>>>>>>> keytool -export -keystore
 client.jks -alias client -storepass>>>> %CLIENT_STOREPASS% -file client.cert>>>> keytool -export -keystore server.jks -alias server -storepass>>>> %SERVER_STOREPASS% -file server.cert>>>>>>>> keytool -import -noprompt -alias server -file server.cert -keystore>>>> client.jks -storepass %CLIENT_STOREPASS%>>>> keytool -import -noprompt -alias client -file client.cert -keystore>>>> server.jks -storepass %SERVER_STOREPASS%>>>>>>>> del client.cert>>>> del server.cert>>>>>>>>>>>> keytool -list -keystore client.jks -storepass %CLIENT_STOREPASS%>>>> keytool -list -keystore server.jks -storepass %SERVER_STOREPASS%>>>>>>>> pause>>>>>>>>
 ----------------------------->>>>>>>> The resulting keystores look now like this:>>>>>>>> ----------------------------->>>>>>>> Keystore-Typ: jks>>>> Keystore-Provider: SUN>>>>>>>> Ihr Keystore enthõlt 2 Eintrõge.>>>>>>>> client, 06.04.2006, keyEntry,>>>> Zertifikatsfingerabdruck (MD5):>>>> EA:30:9C:AF:FF:05:CE:91:10:6E:E8:C4:5F:B8:B5:7C>>>> server, 06.04.2006, trustedCertEntry,>>>> Zertifikatsfingerabdruck (MD5):>>>> 77:D3:A0:AB:BF:70:05:6D:38:AD:E5:23:BB:8C:1E:04>>>>>>>> ----------------------------->>>>>>>> Keystore-Typ: jks>>>> Keystore-Provider: SUN>>>>>>>> Ihr Keystore enthõlt 2
 Eintrõge.>>>>>>>> client, 06.04.2006, trustedCertEntry,>>>> Zertifikatsfingerabdruck (MD5):>>>> EA:30:9C:AF:FF:05:CE:91:10:6E:E8:C4:5F:B8:B5:7C>>>> server, 06.04.2006, keyEntry,>>>> Zertifikatsfingerabdruck (MD5):>>>> 77:D3:A0:AB:BF:70:05:6D:38:AD:E5:23:BB:8C:1E:04>>>>>>>> ----------------------------->>>>>>>> Thank you very much for your help!>>>>>>>> Siamak>>>>>>>>>>>> Ruchith Fernando schrieb:>>>>>>>>         >>>>> Hi Siamak,>>>>>>>>>> Please see my inline comments:>>>>>>>>>> On 4/6/06, Siamak Haschemi 
 wrote:>>>>>>>>>>>>>>>           >>>>>> Hello everybody.>>>>>>>>>>>> I successfully can use the security example. Within this example there>>>>>> is the keystore which ist used. I start with the example and try to>>>>>> generate my own keystore but I have no luck. Can somebody give me the>>>>>> lines to write down the console to get a keystore simmilar to the>>>>>> "sec.jks" in the "secUtil.jar" of the security example.>>>>>>>>>>>>>>>>>>             >>>>> You can use openssl and the java keytool to do this. Please see the>>>>> following shell scripts:>>>>>
 https://svn.apache.org/repos/asf/webservices/wss4j/trunk/keys/genCAKey.sh>>>>> https://svn.apache.org/repos/asf/webservices/wss4j/trunk/keys/genKeystore.sh>>>>> https://svn.apache.org/repos/asf/webservices/wss4j/trunk/keys/genCertRequest.sh>>>>> https://svn.apache.org/repos/asf/webservices/wss4j/trunk/keys/signConvertImportCert.sh>>>>>>>>>>>>>>>>>>>>           >>>>>> By the way I got a question on the security example:>>>>>>>>>>>> The keystore listing shows that there are two private/public keys in the>>>>>> keystore and two signed and accepted certificates. Am I right?>>>>>>>>>>>>>>>>>>             >>>>>
 Yes>>>>>>>>>>>>>>>>>>>>           >>>>>> Keystore-Typ: jks>>>>>> Keystore-Provider: SUN>>>>>>>>>>>> Ihr Keystore enthõlt 4 Eintrõge.>>>>>>>>>>>> alice, 04.06.2005, keyEntry,>>>>>> Zertifikatsfingerabdruck (MD5):>>>>>> 57:CE:81:F1:03:C4:2C:F7:5B:1A:DE:AC:43:64:0A:84>>>>>> root, 04.06.2005, trustedCertEntry,>>>>>> Zertifikatsfingerabdruck (MD5):>>>>>> 0C:0D:00:27:BF:4B:32:63:40:A8:B2:03:96:4B:58:14>>>>>> ca, 04.06.2005, trustedCertEntry,>>>>>> Zertifikatsfingerabdruck (MD5):>>>>>> CA:0A:6D:E3:A4:9F:E8:55:98:0A:F8:10:66:35:40:C6>>>>>> bob, 04.06.2005,
 keyEntry,>>>>>> Zertifikatsfingerabdruck (MD5):>>>>>> 89:3E:86:D2:4F:9C:E7:39:B6:71:8A:EF:00:C5:89:DC>>>>>>>>>>>>>>>>>> The security example uses this keystore for both the client and the>>>>>> server. My question now is how to produce two different keystores for>>>>>> alice and bob each containing the private/public key and the certificate>>>>>> (including the public key) of the other. something like this:>>>>>>>>>>>>>>>>>>             >>>>> These are the steps to create the keystores you want:>>>>>>>>>> 1.) generate two separate keystores with self signed keys>>>>> $ keytool -genkey ...>>>>>>>>>> 2.) Export the certs of
 both private keys in the two keystores>>>>> $ keytool -export>>>>>>>>>> 3.) Import the cert of one private key to the other keystore>>>>> $ keytool -import>>>>>>>>>>>>>>>>>>>>           >>>>>> Keystore for Alice:>>>>>> - Private/Public Key of Alice>>>>>> - Certificate of Bob>>>>>>>>>>>> Keystore for Bob:>>>>>> - Private/Public Key of Bob>>>>>> - Certificate of Alice>>>>>>>>>>>>>>>>>> Does Axis2 works this such a scenario?>>>>>>>>>>>>>>>>>>             >>>>> Yes !!>>>>>>>>>>
 Thanks,>>>>> Ruchith>>>>>>>>>>>>>>>>>>>>           >>>       >>     >>   
		Blab-away for as little as 1¢/min. Make  PC-to-Phone Calls using Yahoo! Messenger with Voice.